(54) Secure printing

(57) In a distributed computing environment, a user is able to send a document to a secure printer 140 in such a way that only the intended recipient can print the document. When the user specifies that the document is to be printed securely, a special print job is created in which the document is encrypted under the recipient's public key. Then, when a print server 130 receives the print job, it is incapable of printing it, as it is encrypted, and the job is held. When the recipient's smart card 145 is inserted into a smart card reader of the secure printer 140, the recipient's identity from the smart card is used to search for and retrieve documents from the print server 130 for the recipient, and private key information on the smart card 145 is used to enable decryption and printing of the document by the printer.
Description

Technical Field

[0001] The present invention relates to hardcopy production of documents and particularly, but not exclusively, to document printing.

Background Art

[0002] It is well known to generate or design a document using a computer-based text editing or graphics package, for example Microsoft Word or Microsoft Excel respectively. Once generated, a document is typically formatted by the package into a data file that comprises, for example, PCL or PostScript data, which is interpretable by a hardcopy device such as a printer. The document data file can be sent directly by the package to a printer to be printed, or can be stored for printing at a later time.

[0003] This principle typically applies to all types of printer, for example laser printers, ink jet printers, impact printers and thermal printers, and in general to other hardcopy devices such as plotters or facsimile machines.

[0004] For the sake of convenience of description herein, the term "document" will hereafter be used as a convenient term to denote a document in any state, including when viewed on a computer display, when formatted as a hardcopy apparatus-readable data file ready for rendering, and when in hardcopy form. The state of the document at any point in the description depends on the context. Also, the term "document" will be used to describe textual, graphical, or mixed representations.

[0005] The advent of distributed computer systems has made it possible for a single 'network' printer to be used by multiple users. Typically network printers are attached to computing platforms operating as print servers within distributed systems. Alternatively some printers, given appropriate interfaces, can be arranged to connect directly to the network of a distributed system.

[0006] Network printers, whether connected directly, or via a print server, to a network, can provide a substantial cost advantage, since each user need not have his own printer connected to, or located near to, his own computer system.

[0007] The ability to access network printers, and other devices, from a local computer, is readily supported by operating systems such as Unix, or Microsoft's Windows NT, which are designed to be configured to manage distributed operations such as remote printing or data management.

[0008] One problem with printing documents on remote network printers is that any person near to the printer could remove or read printed documents containing sensitive information, which do not belong to them, before the correct recipients are able to retrieve the documents. One way around this is for users who need to print sensitive documents to arrange for a trusted person to stand by the printer while the document is printing and collect the document as soon as it has printed. This is, of course, inconvenient.

[0009] Another way to increase security is to print sensitive documents only on a local printer. The latter case, however, undermines any cost advantages gained in having a centrally located, network printer, especially if many users need to print sensitive documents.

[0010] Another problem associated with remote printing of sensitive documents is that a malicious party could intercept or monitor the transfer of data between the local computer and network printer. For example, anyone with access to a print spooler or print server receiving the document for printing could access the document. This would be highly undesirable and, again, could be overcome by using a local printer attached directly to the originating computer instead.

Disclosure of the Invention

[0011] Aspects of the present invention aim to increase the security of remote printing.

[0012] In accordance with a first aspect, the present invention provides hardcopy apparatus comprising interface means for receiving from a document store an encrypted document, processing means configured for decrypting the encrypted document and rendering means for producing a hard copy of a decrypted document.

[0013] This aspect of the invention provides a secure mechanism in which a document can be encrypted prior to it being sent for rendering by the hardcopy apparatus. The hardcopy apparatus, such as a printer, is configured to receive and decrypt encrypted documents prior to producing a hard copy of the document.

[0014] Thus, even if a document were intercepted during transfer between a computer and network printer, say, it would be a non-trivial task for the intercepting party to decrypt the document.

[0015] In a preferred embodiment of the invention, the hardcopy apparatus further comprises input/output means for communicating with a removable processing means.

[0016] Preferably, the input/output means is a smart card reader and the removable processing means is a smart card received by the smart card reader.

[0017] The processing means may then be configured for receiving information from the smart card reader, when a smart card is received thereby, and using the information to retrieve and decrypt an encrypted document. It would be possible to supply information using, for example, a keypad, or even a swipe card reader, but a smart card is perceived by the applicants to be far more convenient.

[0018] In a preferred embodiment, the processing means is configured for receiving from the smart card an identity, sending a first message via the interface means to the document source, the message including at least an indication of the identity, and receiving from the document source via the interface means, in response to the first message, a return message including at least an encrypted session key for an encrypted document stored by the document source and having a matching identity.

[0019] Thus, the identity on the smart card is passed to the document source in order for the document source to search for and return an encrypted session key for any documents that have a matching identity. At this stage, the document source may also return the encrypted document. However, this would depend on the amount of storage available to the hardcopy device for temporarily storing documents.

[0020] The hardcopy apparatus is then, preferably, configured for sending the encrypted session key to the smart card reader, for the smart card to extract the session key, and receiving back the session key. The processing means may then be configured for using the session key to decrypt the encrypted document.

[0021] This approach has the advantage that the private key used to decrypt the session key need not leave the smart card. The implication of this is that the overall mechanism relies on a secret that never becomes known to the printer or any other part of the distributed system.

[0022] Typically, the document store takes the form of a special print server which is configured to receive encrypted documents for printing and to store the documents until a request message for a document is received from, for example, hardcopy apparatus configured according to the present invention. The form of the document store will be described in more detail below.

[0023] In this way, the actual hardcopy production can be initiated by a user inserting a smart card into the hardcopy apparatus's smart card reader at any time after the encrypted document has been submitted to the document store.

[0024] This has the advantage that once a document has been submitted for rendering, it is held by the document store until a remote party inserts a smart card into a remote hardcopy apparatus. Accordingly, the hardcopy of the document is only produced when it is convenient for the recipient, who may or may not be the same person as the sender, to retrieve the document in person.

[0025] Preferably, the information received from the smart card includes an identity, for example the identity of the owner of the smart card, and the hardcopy apparatus is configured to send a message including the identity to the document store. In response, the document store can determine whether it has a stored document with a matching identity, and forward the document to the hardcopy apparatus. Typically, in this case, documents will be submitted with associated identity information to the document store for rendering.



[0026] In the preferred embodiment to be described, a user is able to send a document to a secure printer in such a way that only the intended recipient can print the document. When the user specifies that the document is to be printed securely, a special print job is created in which the document is encrypted under the recipient's public key. Then, when the document store receives the print job, it is incapable of printing it as it is encrypted, and the job is held. When the recipient's smart card is inserted into the secure printer, the recipient's identity from the smart card is used to search for and retrieve documents for the recipient, and private key information on the smart card is used to enable decryption and printing of the document by the printer.

[0027] In accordance with a second aspect, the present invention provides a method of controlling hardcopy apparatus to render an encrypted document comprising the steps of retrieving from a document source an encrypted document, decrypting the encrypted document, and rendering the document to produce a hardcopy thereof.

[0028] In accordance with a third aspect, the present invention provides a computer system arranged for secure rendering of documents, the system comprising secure printing means for encrypting a document for an intended recipient and forwarding to a document store means the encrypted document with identity information of the intended recipient, document store means for receiving encrypted documents and respective identity information and storing said encrypted documents and respective information, and for receiving requests from hardcopy apparatus for documents having a specific identity and sending respective documents to the respective requesting hardcopy apparatus, and hardcopy apparatus arranged for requesting of the document store means transfer of encrypted documents having a specific identity, decrypting received documents and rendering in hardcopy form decrypted documents.

[0029] In accordance with a fourth aspect, the present invention provides a document server, comprising document processing means arranged for receiving encrypted documents, storing encrypted documents, receiving requests for specific documents, searching the stored documents for the specific documents, and returning found documents to the requesting party.

Brief Description of the Drawings

[0030] An embodiment of the present invention will now be described, by way of example only, with reference to the accompanying drawings, of which:

Figure 1 is a diagram which illustrates a distributed computing environment which supports secure printing in accordance with an embodiment of the present invention;

Figure 2 is a block diagram of an architecture for a printer according to the present embodiment;

Figure 3 is a flow diagram which illustrates the steps involved in a user submitting a document for secure printing; and

Figure 4 is a flow diagram that illustrates the steps involved in a secure printer retrieving and printing a print job.

Best Mode For Carrying Out the Invention, & Industrial Applicability

[0031] The following description refers specifically to a printer as the hardcopy device. However, it is emphasised that the same principles apply to other hardcopy apparatus such as facsimile machines.

[0032] In Figure 1, a local computer 100, for example an Intel Pentium based computer operating under Windows NT 4.0, includes the standard components of a keyboard, a display and a mouse (none of which are shown). The local computer 100 is attached to a network 110, for example a network supporting the TCP/IP protocol. The local computer 100 provides a secure printer process, which is a software routine that can be initiated by a user when secure printing is required. The process, and all other processes in this embodiment, can be written in any general purpose programming language, such as Visual C++.

[0033] Also connected to the network 110 are a directory server 120, a document store 130, a secure printer 140 and billing engine 150.

[0034] The directory server 120 is a process running on a computer, which has access to a database 125 of user-specific information, known as user-profiles. The directory server 120 is arranged to receive from requesting processes requests for specific information, for particular users, and returns the specific information to the requesting process, whenever possible. The computer running the directory server 120 could be a Unix or Windows NT platform connected to the network 100 via an appropriate interface. The directory server 120 in the present embodiment is a simple database, which receives enquiries and returns relevant data, but it could be based on purpose built directory services such as Novell's NDS or Microsoft's Active Directory. In accordance with the present embodiment, the directory server 120 is configured to receive a request including a user identity and return at least a public encryption key associated with the identified user. Communications with the directory server 120 may be with a network protocol such as the Lightweight Directory Access Protocol (LDAP).

[0035] The document store 130 is a process running on a computer which receives and stores encrypted document files and associated user identities. The document store 130 also receives requests to forward to specified locations encrypted document files having a specified identity. Again, the computer running the directory server 120 could be a Unix or Windows NT platform connected to the network 100 via an appropriate interface.

[0036] In practice, the document store 130 can be a modified print spooler or print server process, which has access to a large amount of data storage, for example provided by a disk drive 135. The spooler or server is modified in the respect that it is arranged to recognise encrypted documents and, rather than forwarding them to a specific printer, hold or store the encrypted documents. The spooler or server is also modified to receive requests from printers for specific encrypted documents, search for the specified encrypted documents and transfer the encrypted documents to the requesting printer.

[0037] It should be noted that the document store 130 in the present embodiment is an untrusted part of the distributed system, in that the document store 130 is configured to return documents to any requesting printer, or other device using an appropriate protocol. The present embodiment relies on the security of the strong encryption applied to the document to protect the information in the document.

[0038] In other embodiments, where security is even more important, it is envisaged that the document store 130 would further incorporate authentication functionality, which would allow the document store to authenticate either the requesting printer or smart card user. Authentication systems using, for example, digital signatures are well known and will not be considered herein in any more detail.

[0039] The architecture of the printer 140 according to the present embodiment is illustrated in more detail in Figure 2. Figure 2 illustrates a central processing unit (CPU) 200 that controls a print engine 210, which is a standard part of any printer that enacts printing, and the details thereof are beyond the scope of the present description. A read only memory (ROM) 220 is connected to the CPU 200 by an appropriate system bus 205. The ROM 220 contains the instructions that form the control program for the printer. Also connected to the system bus 205 is non-volatile memory (NV-RAM) 230 and main memory (DRAM) 240. The NV-RAM 230 can be E2PROM or Flash RAM for receiving and storing services downloaded into the printer. The DRAM 240 is used by the printer as buffer memory, for receiving jobs to be printed, and is also used by the CPU 200 in the present embodiment as workspace for decryption and session key storage. All the features of the printer 140 described so far are standard on many generally available printers. The diagram also illustrates the standard printer features of a network interface 250, various sensors 260, for example 'paper out', and a front panel display and keypad 270, all connected to the CPU via the system bus 205. Finally, a smart card reader 280 is provided, also connected to the system bus 205, although it could alternatively be connected via the printer's RS232 port, where one is available. Thus, the only significant non-standard hardware feature of the printer is the smart card reader 280. The other differences depend on software or firmware processing.
[0040] Smart card readers are generally available and conform to accepted standards. The smart card reader used in the present embodiment supports the ISO 7816 standard (levels 1 to 4), and some extra functionality not covered by the ISO standard, which is described herein. Corresponding smart cards are also readily available, and are programmable to operate as described herein.

[0041] In practice, the smart card reader can be incorporated into the casing of a standard printer. Thus, in this case, the only significant, noticeable difference about the printer is a slot 143 in the casing into which a smart card 145 can be inserted and retrieved.

[0042] Printers which generally have the features illustrated in Figure 2 are a Hewlett-Packard LaserJet 5 or a Hewlett-Packard LaserJet 4000. In either printer, the printer's conventional control program can be modified as described herein, by either replacing the printer's firmware, in ROM 220, or by creating a 'service', which can be downloaded into the printer's flash memory, NV-RAM 230, from the network.

[0043] Details on how to modify control programs in Hewlett-Packard and others' printers are beyond the scope of the present description, but are readily available from Hewlett-Packard Company or from the respective other printer manufacturers.
[0044] The billing system 150 is a process running on a computer which electronically bills users of the secure printing system. There are three main areas where users could be billed, which are for: submission of an encrypted document to the document store 130; storage by the document store 130 of a document for a specified time; and transmission and successful printing of the document. Other acts, such as using the directory server 120, could potentially also be billed. The sender or the recipient or both could be billed for any or each of these acts. For example, the sender could be billed for the submission, and the recipient could be billed for the storage and printing of the document. Of course, the sender and the recipient might be the same person, or different people from the same organisation, in which case a single person or organisation respectively would be billed for everything. Further, the owner of the document store and the owner of the printer might be different independent service providers. For example, in the case where the printer is in a public place, and is for use by the public, then the printer's owner would want financial reward for providing the service. Therefore, it would be necessary for a printer to identify itself in enough detail that the billing system 150 could allocate billed funds to the printer's owner.

[0045] For every act, it is necessary to identify the party to be billed and the party to be paid. Electronic identification and authentication for the purposes of electronic billing are well known in the field of electronic commerce, and will not therefore be discussed in any more detail herein.



[0046] The operation of the local computer 100 in submitting a secure print job will now be described with reference to the flow diagram in Figure 3.

[0047] In step 300 of Figure 3, the local computer's operator (not shown), in other words the document's sender, has a document, for example a word-processed document, to be submitted for printing. The sender initiates the secure printing process for the secure printing of the document in step 305. The secure printing process, in step 310, generates a graphical user interface, which requires the sender to enter the document details and the identity of the intended recipient. Of course, the intended recipient might be the sender himself. The sender enters the required details in step 315. Having received a valid input from the sender, the process, in step 320, continues by transmitting a request including the details input by the sender to the directory server 120. In response, the directory server 120 returns to the secure printing process the public key for the intended recipient in step 325.

[0048] Next, in step 330, the secure printer process formats the document into a page description language, such as PostScript or PCL, which is interpretable by a printer. Obviously, the language will depend on the type of printer or other hardcopy apparatus to be used. The secure printer process then, in step 335, applies bulk encryption to the formatted document while retaining its integrity. This can be achieved using a message digest function such as the Secure Hash Algorithm (SHA-1) and a symmetric block or stream cipher, for instance, Data Encryption Standard (DES). The cipher uses a random number generated by the secure printer process to enact the encryption. The random number constitutes a session key. This step is a symmetric encryption step, which relies on a recipient having access to the session key to decrypt the document.

[0049] Alternative message digest algorithms, such as MD5, symmetric ciphers such as CAST or IDEA, and asymmetric algorithms such as the Elliptic Curve ElGamal encryption scheme can be used instead of the algorithms specified earlier.

[0050] In step 340, the secure printer process then applies an asymmetric encryption algorithm, such as RSA, to the session key, using the intended recipient's retrieved public key. Thus, after this step, only someone who has knowledge of the private key associated with the public key can decrypt the session key and hence then decrypt the document.

[0051] In step 345, the secure printing process forwards across the network 110, to the document store 130, a message comprising the encrypted document, an 'envelope' for the document (which contains the encrypted session key), and the respective identity of the intended recipient.

[0052] Finally, in step 350, the document store 130 receives the message and stores it appropriately to hard disk 135.

[0053] The process of securely printing a document retrieved from the document store 130 will now be described with reference to the flow diagram in Figure 4.

[0054] In step 400 of Figure 4, the intended recipient of the document, which has been stored by the document store 130 as described already, inserts his smart card into the smart card reader 280 of the secure printer 140. The smart card includes the recipient's identity and the recipient's private key. Although not illustrated in the flow diagram, it would be typical at this stage for the printer 140 to request entry by the recipient of a personal identification number, to verify that the recipient is the genuine owner of the smart card, and not someone who has found, or even stolen, it.

[0055] The smart card reader 280 reads the smart card, in step 405, and extracts the identity therefrom. Then, in step 410, the smart card reader 280 forwards the identity to the printer's CPU 200. The CPU 200 receives the identity in step 415 and generates a message including the identity, in step 420, which it forwards to the document store 130 in step 425.

[0056] In step 430, the document store 130 receives the message and, in step 435, searches the hard disk 135 for any documents having the same identity. In the present embodiment the document store 130 will find one document. However, in general, there may be none, or any number of documents having a matching identity stored on the hard disk 135. At this stage, the document store 130 and printer 140 may be arranged to interact to provide status information to the recipient, displayed on a front panel display 270 of the printer, for example showing the number of documents awaiting printing, or that there are no documents waiting.

[0057] Next, in step 440, the document store 130 returns to the printer 140 only the envelope for the document having the matching identity. In principle, the document could be sent at this stage as well, although whether or not this is done depends on the size of the document and the amount of available printer buffer memory. It is believed preferable at present to retrieve only the envelope, unless the printer 140 has a significant amount of RAM 240 into which the whole document could be received.

[0058] In step 445, the printer receives the envelope and, in step 450, forwards the encrypted session key to the smart card reader 280. The smart card reader 280 transfers the encrypted session key to the smart card, and the smart card, in turn, decrypts the session key, in step 455, using the private key stored therein. The smart card outputs the decrypted session key, in step 460, and the smart card reader 280 forwards the session key to the CPU 200, in step 465.

[0059] This technique for retrieving the session key is extremely advantageous, since the private key never needs to leave the smart card, and thus remains secret.

[0060] The printer 140 forwards a message to the document store 130, in step 470, for the document store to transmit the encrypted document to the printer 140. In step 475, the document store 130 receives the message and, in step 480, transmits the document to the printer 140. In step 485, the printer 140 receives the document and, in step 490, deciphers it back into page description language using the session key.

[0061] Finally, in step 495, the printer prints the document for the intended recipient.
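Steps 330 to 495 together form a hybrid 'envelope' scheme: a random session key bulk-encrypts the formatted document, the recipient's public key wraps the session key, the document store holds what it cannot read, and the smart card unwraps the key without ever exposing its private key. The following Python is an added example written for this page, not code from the patent or from any product it names. A textbook unpadded RSA and a SHA-256 counter-mode keystream with an HMAC tag stand in for the RSA, DES and SHA-1 named in the text, and the class and function names (DocumentStore, SmartCard, submit_secure_job, secure_print) are this example's own assumptions.

```python
# Added example, not from the patent: the envelope flow of Figures 3 and 4.
# Textbook unpadded RSA and a SHA-256 counter-mode keystream stand in for the
# RSA / DES / SHA-1 named in the text; all names below are this example's own.
import hashlib, hmac, secrets

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin test on an odd n; adequate for a demonstration key."""
    r = ((n - 1) & -(n - 1)).bit_length() - 1      # trailing zero bits of n-1
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def rsa_keygen(bits=512):
    """Return ((e, n), (d, n)); n exceeds the 256-bit session key so textbook RSA round-trips it."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

def _keystream_xor(key, nonce, data):
    """Stream cipher stand-in: XOR data with SHA-256(key || nonce || block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def submit_secure_job(pdl_document, recipient_id, directory):
    """Sender, steps 325-345: fresh session key, bulk-encrypt with integrity tag, RSA-wrap the key."""
    session_key = secrets.token_bytes(32)          # step 335: random number = session key
    nonce = secrets.token_bytes(16)
    ciphertext = _keystream_xor(session_key, nonce, pdl_document)
    tag = hmac.new(session_key, nonce + ciphertext, hashlib.sha256).digest()  # integrity
    e, n = directory[recipient_id]                 # step 325: public key from directory 120
    envelope = pow(int.from_bytes(session_key, "big"), e, n)  # step 340: the 'envelope'
    return {"identity": recipient_id, "envelope": envelope, "document": (nonce, ciphertext, tag)}

class DocumentStore:
    """Modified spooler (store 130): holds jobs it cannot read, answers identity queries."""
    def __init__(self, jobs):                      # step 350: jobs written to disk 135
        self.jobs = list(jobs)

    def envelopes_for(self, identity):             # steps 435-440: envelope only
        return [j["envelope"] for j in self.jobs if j["identity"] == identity]

    def document_for(self, identity, envelope):    # steps 475-480: the encrypted body
        for j in self.jobs:
            if j["identity"] == identity and j["envelope"] == envelope:
                return j["document"]
        raise KeyError("no document with that identity and envelope")

class SmartCard:
    """Holds identity and private key; only the unwrapped session key leaves the card."""
    def __init__(self, identity, private_key):
        self.identity, self._private_key = identity, private_key

    def unwrap_session_key(self, envelope):        # steps 455-460
        d, n = self._private_key
        return pow(envelope, d, n).to_bytes(32, "big")

def secure_print(card, store):
    """Printer, steps 405-495: query by identity, unwrap on the card, verify, decrypt."""
    pages = []
    for envelope in store.envelopes_for(card.identity):
        session_key = card.unwrap_session_key(envelope)
        nonce, ciphertext, tag = store.document_for(card.identity, envelope)
        expected = hmac.new(session_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("document integrity check failed; not printing")
        pages.append(_keystream_xor(session_key, nonce, ciphertext))  # step 490
    return pages                                   # step 495: hand to the print engine

def demo():
    """Two jobs are queued; Alice's card retrieves and decrypts only hers (constructed data)."""
    alice_pub, alice_priv = rsa_keygen()
    directory = {"alice": alice_pub, "bob": rsa_keygen()[0]}   # stand-in for directory 120
    store = DocumentStore([
        submit_secure_job(b"%!PS-Adobe-3.0\n(for alice) show\n", "alice", directory),
        submit_secure_job(b"\x1bE PCL page for bob", "bob", directory)])
    return secure_print(SmartCard("alice", alice_priv), store)
```

Running demo() queues jobs for two identities and returns only the decrypted PostScript for the card holder; Bob's job stays in the store, unreadable to the printer. The tag check before step 490 is where the printer refuses a document that was altered in the untrusted store, which is what "retaining its integrity" in step 335 buys. Unpadded RSA and a single key for both cipher and MAC are shortcuts that keep the example short; a deployment would use a padded key-wrapping scheme and separate keys.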
[0062] It will be appreciated that the network 110 could be a local area network, a wide area network or even a global area network. For example, for the case of a global area network the local computer 100 could be situated in an office in London and the printer could be located in an airport in Tokyo or New York. Similarly, the directory server 120 and the document store 130 could be located anywhere in the world.

[0063] In some embodiments, for responsiveness purposes, it may be desirable to have mirror document stores (not shown) - similar to Internet mirror sites - where the data in one store is copied by the store to other, geographically distant document stores. Thus, for example, there may be a London-based data server, and Tokyo and New York-based data servers. On receiving a document, the London data server would copy the document to both the Tokyo and New York data servers so that the recipient could retrieve and print the document from the data server nearest the printer being used. Obviously, the data mirroring could be tuned if it is known where the recipient is most likely to be when he wishes to print the document. For example, if the recipient were likely to be in New York, but might instead be in London, then a document submitted in London would only be mirrored to the New York-based data server. Such recipient location information could form part of the user profile information stored by the directory server 120. Thus, the location information under these circumstances would also be returned to the local computer 100 with the public key information, and this information would also be forwarded to the document store 130.

[0064] It is envisaged that the directory server 120 will also hold other user profile information. For example, a recipient may only ever wish to receive documents from one specified printer. In this case, the information returned by the directory server 120 would reflect this and the document store 130 would then only release the encrypted document to the specified printer. Other information held by the directory server 120 for particular users might include printer information, which determines how the document is formatted by the local computer 100, for example whether to format the document into PostScript or PCL. In general, it is expected that the user can access the directory server 120, for example via the Internet, and modify his user profile whenever required.

[0065] It will also be appreciated that the components and processes described above need not reside on different computers. For example, the local computer 100 could support the directory server and document store processes, as well as a secure printer process.

[0066] Furthermore, there is no reason why any or all of the processes described herein could not be located and called from any of a number of different computer systems connected to the distributed environment. Having said this, it is important, although not essential, that documents that require secure printing do not pass across any publicly accessible or low security communications channels without being in an encrypted
Claims 

1. Hardcopy apparatus arranged for receiving, 
decrypting and rendering documents, the hardcopy 
apparatus comprising: 

interface means for receiving from a document 
source an encrypted document; 

processing means configured for decrypting 
the encrypted document; and 

rendering means for producing a hard copy of 
the decrypted document. 

2. Hardcopy apparatus according to claim 1, further 
comprising input/output means for communicating 
with a removable processing means. 

3. Hardcopy apparatus according to claim 2, wherein 
the input/output means is a smart card reader and 
the removable processing means is a smart card 
received by the smart card reader. 

4. Hardcopy apparatus according to claim 3, wherein 
the processing means is configured for receiving 
information from the smart card reader, when a 
smart card is received thereby, and using the infor- 
mation to retrieve and decrypt an encrypted docu- 
ment. 

5. Hardcopy apparatus according to claim 4, wherein the 
processing means is configured for: 

receiving from the smart card an identity and 
sending a first message via the interface 
means to the document source, the message 
including at least an indication of the identity; 
and 

receiving from the document source via the 
interface means, in response to the first mes- 
sage, a return message including at least an 
encrypted session key for an encrypted docu- 
ment stored by the document source and hav- 
ing a matching identity. 

6. Hardcopy apparatus according to claim 5, wherein 
the processing means is configured for sending the 
encrypted session key to the smart card reader, for 
the smart card to extract the session key, and 
receiving back the session key. 
7. Hardcopy apparatus according to claim 6, wherein 
the processing means is configured for using the 
session key to decrypt the encrypted document. 

8. Hardcopy apparatus according to any one of the 
preceding claims, comprising a printer. 

9. Hardcopy apparatus according to any one of claims 
1 to 7, comprising a facsimile machine. 

10. A method of controlling hardcopy apparatus to 
render an encrypted document, comprising the 
steps of: 

retrieving from a document source an 
encrypted document; 

decrypting the encrypted document; and 

rendering the document to produce a hardcopy 
thereof. 

11. A method according to claim 10, further comprising 
the step of providing the hardcopy apparatus with 
identity information, to determine which document 
the hardcopy apparatus retrieves. 

12. A method according to claim 10 or claim 11, further 
comprising the step of providing the hardcopy 
apparatus with decryption information to enable the 
hardcopy apparatus to decrypt the retrieved docu- 
ment. 

13. A method according to claim 11 or claim 12, 
wherein the identity information is stored on a smart 
card and is transferred to the hardcopy apparatus 
by means of a smart card reader associated with 
the hardcopy apparatus. 

14. A method according to any one of claims 10 to 13, 
further comprising the step of retrieving from the 
document source an envelope associated with the 
encrypted document, the envelope comprising a 
session key encrypted using a public key encryp- 
tion algorithm, decrypting the session key using a 
corresponding private key, and decrypting the doc- 
ument using the session key. 

15. A method according to claim 14, wherein the step of 
decrypting the session key is enacted by a smart 
card, which is received by a smart card reader 
associated with the hardcopy apparatus. 
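
The retrieve, unwrap and decrypt exchange set out in claims 5 to 7 and in claims 14 and 15, written out end to end as an added example. This Go code is not part of the patent specification and does not reproduce any particular product; it assumes RSA-OAEP for the session-key envelope and AES-256-GCM for the document, an in-process SmartCard type standing in for the card and its reader, and a DocumentStore map standing in for the document store 130. It goes beyond the claims in one respect, which is also an assumption made here: the recipient identity is bound to the ciphertext as GCM associated data, so a job re-filed in the store under a different identity fails to decrypt even on a card that holds the right private key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// PrintJob is what the sender forwards to the document store: recipient identity,
// envelope (session key wrapped under the recipient's public key) and ciphertext.
type PrintJob struct {
	RecipientID string
	Envelope    []byte // RSA-OAEP(recipient public key, session key)
	Nonce       []byte
	Ciphertext  []byte // AES-256-GCM(session key, document) with RecipientID as AAD
}

// SmartCard stands in for the recipient's card and reader: the private key never leaves it.
type SmartCard struct {
	Identity string
	priv     *rsa.PrivateKey
}

func NewSmartCard(identity string) (*SmartCard, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &SmartCard{Identity: identity, priv: priv}, nil
}

func (c *SmartCard) PublicKey() *rsa.PublicKey { return &c.priv.PublicKey }

// UnwrapSessionKey is the only private-key operation the card performs for the printer.
func (c *SmartCard) UnwrapSessionKey(envelope []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, c.priv, envelope, nil)
}

// EncryptForRecipient is the sender side: a fresh session key encrypts the document and
// is wrapped under the recipient's public key; the identity is GCM associated data.
func EncryptForRecipient(recipientID string, pub *rsa.PublicKey, document []byte) (*PrintJob, error) {
	buf := make([]byte, 32+12) // 256-bit session key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	sessionKey, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(sessionKey) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)        // AES block size is valid for GCM
	ct := gcm.Seal(nil, nonce, document, []byte(recipientID))
	env, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &PrintJob{RecipientID: recipientID, Envelope: env, Nonce: nonce, Ciphertext: ct}, nil
}

// DocumentStore files jobs it cannot read under the recipient identity they were sent with.
type DocumentStore map[string][]*PrintJob

func (s DocumentStore) Submit(job *PrintJob) { s[job.RecipientID] = append(s[job.RecipientID], job) }

// PrintWithCard is the secure printer: take the identity from the inserted card, request
// matching jobs, have the card unwrap each session key, decrypt, and return the plaintext.
func PrintWithCard(store DocumentStore, card *SmartCard) ([][]byte, error) {
	jobs := store[card.Identity] // the store releases only jobs filed under this identity
	if len(jobs) == 0 {
		return nil, fmt.Errorf("no documents held for %q", card.Identity)
	}
	var pages [][]byte
	for _, j := range jobs {
		sessionKey, err := card.UnwrapSessionKey(j.Envelope)
		if err != nil {
			return nil, fmt.Errorf("card could not unwrap session key: %w", err)
		}
		block, err := aes.NewCipher(sessionKey) // guards against a malformed envelope
		if err != nil {
			return nil, err
		}
		gcm, _ := cipher.NewGCM(block)
		plain, err := gcm.Open(nil, j.Nonce, j.Ciphertext, []byte(j.RecipientID))
		if err != nil {
			return nil, fmt.Errorf("document failed authentication: %w", err)
		}
		pages = append(pages, plain)
	}
	return pages, nil
}

func main() {
	card, _ := NewSmartCard("alice@example.com") // constructed sample identity
	store := DocumentStore{}
	job, _ := EncryptForRecipient(card.Identity, card.PublicKey(), []byte("Q3 payroll summary"))
	store.Submit(job)
	pages, err := PrintWithCard(store, card)
	fmt.Printf("rendered %q, err=%v\n", pages, err)
}
```

As in claim 6, the printer never sees the private key: UnwrapSessionKey is the only method that touches it, and the printer receives back only the session key. A card holding a non-matching key fails at UnwrapSessionKey, and a tampered or re-filed document fails at gcm.Open instead of being rendered as garbage, which is the property a practitioner should check for in any implementation of this scheme.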

16. A computer system arranged for secure rendering 
of documents, the system comprising: 

secure printing means for encrypting a docu- 
ment for an intended recipient and forwarding 
to a document store means the encrypted doc- 
ument with identity information of the intended 
recipient; 

document store means for receiving encrypted 
documents and respective identity information 
and storing said encrypted documents and 
respective information, and for receiving 
requests from hardcopy apparatus for docu- 
ments having a specific identity and sending 
respective documents to the respective 
requesting hardcopy apparatus; and 

hardcopy apparatus arranged for requesting of 
the document store means transfer of 
encrypted documents having a specific identity, 
decrypting received documents and rendering 
in hardcopy form decrypted documents. 

17. A computer system as claimed in claim 16, wherein 
the secure printing means is arranged for enacting 
public key encryption and the hardcopy apparatus 
is arranged for providing corresponding private key 
decryption. 

18. A computer system as claimed in claim 16 or claim 
17, wherein the hardcopy apparatus is arranged for 
sending data that is encrypted with a public key to a 
removable processing means for decryption 
thereby using a corresponding private key. 

19. A computer system as claimed in claim 18, wherein 
the hardcopy apparatus comprises a smart card 
reader and the removable processing means is a 
smart card. 

20. A document server, comprising document process- 
ing means arranged for: 

receiving encrypted documents; 

storing encrypted documents; 

receiving requests for specific documents; 

searching the stored documents for the specific 
documents; and 

returning found documents to the requesting 
party. 